The final HIPAA omnibus rule released late last week holds business associates (BAs) and subcontractors (the BA of a business associate) directly liable for compliance with the HIPAA rules, and sets a deadline for compliance with the new modifications. There’s some cushion time though – the final rule isn’t officially effective until March 26, and even after the date, covered entities and business associates of all sizes will have 180 days to be in compliance. According to HealthDataManagement.com, covered entities will have one year from the compliance date to modify business associate agreements to match the new requirements.

This may not be enough time for BAs and subcontractors to achieve compliance with the modified rules, especially for those that were never initially in compliance. However, this works two-fold to 1) weed out quality HIPAA hosting providers that focus on the healthcare compliance market from the rest; 2) increase the ease of covered entities in securing patient data and maintaining patient privacy by limiting the hosting provider market.

Compliance is time-consuming and expensive, but the service providers that are willing and able to make that commitment will fare well in the healthcare market, especially since covered entities and BAs are now legally liable for the acts of their subcontractors and therefore monetarily motivated to have a vested interest in the security practices of their hosting providers.

The Medical Group Management Association (MGMA) issued their own comments on the modifications – they’ve voiced concerns over the short time frames alloted to get up to speed, as reported by HealthDataManagement.com:

We are strongly supportive of comprehensive privacy and security standards aimed at avoiding unauthorized use or disclosure of patient health information. However, it is critical that the safeguards mandated by the government be practical, flexible and affordable for the broad spectrum of medical practices.

We are concerned about the ability of practices to implement the changes associated with this final rule, including the requirement to modify and reissue notices of privacy practices and modify business associate agreements–within the short time frames allotted. We will continue to monitor our member practices to ensure that administrative burdens imposed by the government do not hinder the necessary flow of health information for patient treatment, payment and healthcare operations purposes.

Considering the definition of a BA has expanded to include patient safety organizations, health information organizations, e-prescribing gateways, providers of data transmission services for protected health information to a covered entity, etc., the rule comes as a serious wake-up call to providers that haven’t done their due diligence in the security arena. A compromise has to be made between the degree of federally ordered ‘administrative burdens’ and the need to tighten up patient data security.

So how do you start the arduous process of establishing a culture of security in your organization? Conducting a HIPAA risk analysis is the first step toward implementing the HIPAA Security Rule safeguards. The first mandatory component of the nine outlined by the HHS is the scope of the analysis; meaning any potential risks and vulnerabilities to the privacy, availability and integrity of ePHI. For a full list of the risk analysis components, read What’s in a HIPAA Risk Analysis?

Other best practices include:

Document data management, security, training and notification plans.

Use a password policy for access.

Encrypt PHI, whether it is in a database or in files on a server. Although not required by HIPAA, it is strongly suggested and considered best practice to do so while stored in the database, and especially during transmission. More encryption considerations:

Always use SSL for web-based access of any sensitive data.

Encryption techniques and mechanisms of sensitive information should be known to only a select few.

Content such as images or scans should be encrypted and contain no personally identifying information.

If you’re a covered entity/healthcare organization, you might need to reassess your vendors now that the final omnibus rule dictates that covered entities are held liable for the actions of their BAs/subcontractors. Read Five Questions to Ask Your HIPAA Hosting Provider that will help ensure you can meet the HHS’s deadline this spring.